Why you need a password manager
We know that an organisation’s biggest vulnerability is often its staff – whether they’re downloading something from a suspicious site, clicking a link in an email without verifying it first, or exposing the system to hackers through weak passwords.
Training, clear guidance and regular, gentle reminders will help you to keep your sensitive business data safe. You should also think about using a password manager across all work devices, to reduce the risk of a cyber criminal gaining access.
Passwords are required to log into a desktop or laptop, into software, online email accounts, finance packages, CRM and more, and it’s hard for people to come up with something that’s both hard to guess and easy for them to remember.
Too often, people reuse their passwords across sites or update them by changing a single letter or digit. Employees will often choose the name of their partner, child, pet or mother’s maiden name because they won’t forget them. However, all of these can usually be found by searching elsewhere online for the user, including social media.
The NCSC (National Cyber Security Centre) recommends using a password manager for both personal and business use, not least because they ‘reduce security friction - making security easier and more convenient’, which leaves systems better protected in practice.
What is a password manager?
When a new user account is set up, the user is asked for a password. This should be unique to that site or application and as ‘strong’ as possible, so it’s harder to guess or crack. ‘Strong’ usually means long, with a mix of digits, symbols and capital letters, which is exactly what people struggle to remember, so they fall back on the same password they always use.
A password manager will both generate and store passwords securely, so you don’t use insecure passwords and you don’t need to remember them!
The manager encrypts the whole password database (the ‘vault’) with a key derived from a master password. That master password is the only one staff need to remember: once the vault is unlocked, the manager fills in their credentials on each website for them.
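To make ‘derived from a master password’ concrete, here is an added illustration (written for this article, not any vendor’s code) of what a manager actually keeps on disk or in the cloud. It uses only the Python standard library: scrypt stretches the master password into a vault key, and an HMAC ‘verifier’ lets the vault be unlocked without the master password or the vault key ever being stored. The scrypt cost parameters and the check string are assumptions chosen for a quick demo; real products use heavier settings.

```python
"""Added example: deriving a vault key from a master password.

Illustration code for this article, not any password manager's implementation.
The stored record holds a random salt and an HMAC check value, never the
master password or the vault key itself.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters (assumption: light settings for a demo).
# Memory use is about 128 * n * r bytes = 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
CHECK_STRING = b"vault-unlock-check"  # assumed constant, any fixed label works


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into two 32-byte keys.

    Returns (vault_key, verifier_key). The per-vault salt means two users with
    the same master password still end up with different keys.
    """
    material = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return material[:32], material[32:]


def create_vault_record(master_password: str) -> dict:
    """Build the record the manager stores: salt plus an HMAC verifier."""
    salt = os.urandom(16)
    _, verifier_key = derive_keys(master_password, salt)
    verifier = hmac.new(verifier_key, CHECK_STRING, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock_vault(record: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the master password is right, otherwise None.

    The comparison is constant-time, so a wrong guess does not leak how many
    bytes of the verifier happened to match.
    """
    vault_key, verifier_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(verifier_key, CHECK_STRING, "sha256").digest()
    if hmac.compare_digest(expected, record["verifier"]):
        return vault_key
    return None


if __name__ == "__main__":
    record = create_vault_record("correct horse battery staple")
    print("stored record:", {k: v.hex() for k, v in record.items()})
    print("right password unlocks:",
          unlock_vault(record, "correct horse battery staple") is not None)
    print("one-letter typo unlocks:",
          unlock_vault(record, "correct horse battery stable") is not None)
```

The point to notice is that nothing in the stored record can be turned back into the master password, and a one-letter change to it produces a completely different key. That is why the strength of the master password matters so much.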
One password? Surely that’s the same problem?
It sounds risky having all your passwords stored behind one single password, but that password must be as secure as it can be: long, not used on any other site, and not biographical or otherwise easy to guess.
Secondly, all leading password managers let you set up two-factor authentication and device control. So, when you log in you will also have to enter a code from your phone to prove it’s you, and the manager will check that you are logging in from a known device. Even if someone has your master password and your 2FA code, they will need to pass these further checks before being given access.
As with anything there is some risk, but the security you gain from a password manager far outweighs it.
How does it work?
The first step is to create an account with a password manager provider. If this is something you implement company-wide, ask staff to use their work emails and to choose a strong master password. This should not be the same as the one they use to access their work machine.
You may decide to have a policy in place which states that if staff access sites for personal use, such as Facebook or Amazon, from a work device, they also keep those passwords in the manager. Alternatively, you may decide to block those sites altogether on any work-provided device.
Once that’s done, you can choose whether staff stay signed in to the password manager, or must unlock it each time before accessing another site. If the vault is locked when they visit a website, they simply type in their master password; once it’s unlocked, the manager fills in the login details for them. A short auto-lock timeout is a sensible default on shared or portable machines.
Depending on the manager you choose, you can either copy and paste the password from the manager dashboard into the appropriate sign-in page, or use a browser extension to do this automatically. Most will also sync across devices, so if staff use tablets or their own devices (BYOD), you can protect those in exactly the same way.
Similarly, when they sign up to a site for the first time, the password manager will generate a strong, unique password for them. To make things easier, it can even be set up to auto-fill personal information that’s used every time an employee signs up for a new account somewhere.
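As an added example of what ‘generate a password for them’ involves (written for this article, not taken from any vendor), the code below shows the two styles a manager offers: a random-character password for a site login, and a word-based passphrase of the kind that suits the master password discussed earlier, which has to be long and memorable at once. It draws from the `secrets` module, Python’s cryptographically secure generator, rather than `random`. The word list is a tiny constructed sample; a real generator uses a list of thousands of words.

```python
"""Added example: generating site passwords and a master passphrase.

Illustration code for this article, not any password manager's generator.
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # the 94 printable ASCII characters

# Constructed sample word list (16 words, so 4 bits per word). A real list such
# as the EFF large word list has 7776 words, about 12.9 bits per word.
SAMPLE_WORDS = ["anchor", "basket", "cobalt", "desert", "ember", "falcon",
                "garden", "harbor", "island", "jigsaw", "kernel", "lantern",
                "meadow", "nectar", "orbit", "pepper"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str, alphabet: str = ALPHABET) -> bool:
    """True if the password contains one of every character class present in `alphabet`."""
    classes = [set(c) & set(alphabet) for c in (LOWER, UPPER, DIGITS, SYMBOLS)]
    return all(any(ch in cls for ch in password) for cls in classes if cls)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password that also meets 'one of each class' site rules.

    Rejection sampling keeps the result uniform over compliant passwords,
    unlike 'pick one from each class, then shuffle', which skews the distribution.
    Restrict `alphabet` for sites that forbid symbols; only classes present in
    it are required.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, alphabet):
            return candidate


def generate_passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words chosen uniformly from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(20)
    print("site password:", pw, f"(~{entropy_bits(len(ALPHABET), 20):.0f} bits)")
    print("letters and digits only:",
          generate_password(16, alphabet=string.ascii_letters + string.digits))
    print("master passphrase:", generate_passphrase(SAMPLE_WORDS, 6),
          f"(~{entropy_bits(len(SAMPLE_WORDS), 6):.0f} bits with this toy list)")
```

A 20-character password from the full 94-character set carries about 131 bits of entropy; six words from a 7776-word list give about 78 bits, which is plenty for a master password that has to survive an offline attack on a stolen vault, and far more than a pet’s name or a maiden name offers.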
You can also use the password manager to give trusted third parties, such as administrators, access to your accounts without them needing to know your login details. They need to have an account with the same password manager as you, and then you can invite them to log in securely to whichever sites they need.
This is helpful if you use a social media manager, for example, to update blogs on your website, or to post on a social platform on your behalf. The password manager lets them log in without showing them the password, so you control who has access to an account without handing out the credentials, and it is much easier to revoke access if someone leaves the organisation. Bear in mind that hiding the password is a convenience control rather than a hard boundary: anyone whose browser auto-fills a credential could in principle read it out, so the real security benefit is central, instant revocation.
How to choose a password manager
There are so many options available that it can be hard to choose the right one.
To save time and effort, you may decide it’s easier to use whichever password manager is integrated with your web browser (Firefox, Microsoft Edge, Chrome etc). However, this is not recommended, because none of these will have the same capabilities as a standalone solution.
It’s also worth bearing in mind that built-in browser stores, Chrome’s included, typically protect saved passwords only with the operating-system login: there is no separate master password, so anyone who can use the unlocked machine, or any malware running as that user, can read them.
So, think about your company needs:
- how many staff you have,
- whether they work from home or in multiple locations,
- where and how you store and secure your data.
Many password managers are free, but offer paid upgrades to give better functionality.
Some are cloud-based and others are device-based and sit only on the computer they’re installed on (often preferred by the more security-conscious). Some will also warn you if a password has already appeared in a known data breach before you use it.
Make a list of the key factors that will help you decide, and then do some research. Involve your internal IT department if you have one, or seek advice from an IT support provider like ATG. They should be able to recommend the right password manager for your needs and help you with the setup.
At ATG, our managed password management tools not only allow you to safely create, store and encrypt passwords, but also give you visibility of who has access to what across your organisation. Don’t worry, nobody can see a password! Get in touch today to discuss your options.